mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-22 19:35:34 +00:00
Merge remote-tracking branch 'restricted/pr/669' into mbedtls-2.16-restricted
* restricted/pr/669: Zeroize local AES variables before exiting the function
This commit is contained in:
commit
baf23000e1
|
@ -8,6 +8,14 @@ Security
|
|||
blinded value, factor it (as it is smaller than RSA keys and not guaranteed
|
||||
to have only large prime factors), and then, by brute force, recover the
|
||||
key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
|
||||
* Zeroize local variables in mbedtls_internal_aes_encrypt() and
|
||||
mbedtls_internal_aes_decrypt() before exiting the function. The value of
|
||||
these variables can be used to recover the last round key. To follow best
|
||||
practice and to limit the impact of buffer overread vulnerabilities (like
|
||||
Heartbleed) we need to zeroize them before exiting the function.
|
||||
Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
|
||||
Grant Hernandez, and Kevin Butler (University of Florida) and
|
||||
Dave Tian (Purdue University).
|
||||
|
||||
Bugfix
|
||||
* Remove redundant line for getting the bitlen of a bignum, since the variable
|
||||
|
|
|
@ -918,6 +918,18 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
|
|||
PUT_UINT32_LE( X2, output, 8 );
|
||||
PUT_UINT32_LE( X3, output, 12 );
|
||||
|
||||
mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
|
||||
mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
|
||||
mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
|
||||
mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
|
||||
|
||||
mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
|
||||
mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
|
||||
mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
|
||||
mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
|
||||
|
||||
mbedtls_platform_zeroize( &RK, sizeof( RK ) );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
|
||||
|
@ -986,6 +998,18 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
|
|||
PUT_UINT32_LE( X2, output, 8 );
|
||||
PUT_UINT32_LE( X3, output, 12 );
|
||||
|
||||
mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
|
||||
mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
|
||||
mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
|
||||
mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
|
||||
|
||||
mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
|
||||
mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
|
||||
mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
|
||||
mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
|
||||
|
||||
mbedtls_platform_zeroize( &RK, sizeof( RK ) );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* !MBEDTLS_AES_DECRYPT_ALT */
|
||||
|
|
Loading…
Reference in a new issue